It's Time to Get Serious About Privacy
Data Security Does Not Equal Privacy, and Other Misconceptions
I buy into Forrester's statement: "Privacy is a game changer: it will be to organizations in 2016 what websites were to companies in 2000." But for it to be a true game changer, privacy strategy can no longer merely focus on aligning with regulatory requirements. The discussion has to evolve into how privacy can help organizations drive business growth.
Privacy can be a true game changer for Indian enterprises in 2016. But to get there, privacy practitioners and leaders must first overcome a host of challenges and the confusion prevailing among Indian enterprises about the stark differences between data privacy and security.
Data Privacy Delusions
So, when organizations around the globe are actively implementing privacy programs, meeting their customers' demands and winning their confidence while leveraging technological advancements to protect personal data, why does India lag behind in establishing privacy programs?
In my opinion, there are a few misconceptions that are inhibiting the implementation of privacy programs:
- Since there is no overarching privacy law in India, it is mistakenly assumed that organizations need not bother about data privacy;
- Data privacy is often equated with data security and, therefore, wrongly categorized as part of the information security program;
- Even with those who understand the difference between privacy and security, the scope and depth of what it means to institute a privacy program are often underestimated;
- Privacy is often misconstrued as creating a hindrance to business growth and in developing specialized services;
- Most important, no function, be it security, business, legal or compliance, seems to be taking ownership of data privacy in organizations.
Understanding Data Privacy
There is an immediate need for organizations to take cognizance of the imperatives of privacy, because, as we see every day in the global news, under the placid waters of the corporate network, hackers lie in wait to launch a breach targeting sensitive personal information.
I advise security practitioners to take ownership of driving the privacy program in their organizations, and simultaneously to influence senior management to elevate privacy strategy beyond legal and compliance, pulling in stakeholders such as marketing and HR who deal with the personal information of customers and employees.
It is imperative for practitioners to understand: data privacy does not equate to data security. And CISOs need not wait until the government rolls out the 'Right to Privacy Bill.' They already need to comply with the IT Act, which clearly defines personal information and sensitive personal information, and whose sensitive data protection rules outline the basic principles of data privacy. These privacy principles are sadly missing from many enterprises.
Many practitioners seem to be oblivious of the fact that section 72A of the IT Act prescribes penalties for any misuse or compromise of personal information, which can involve a fine of up to $5000 and imprisonment of up to three years. Under section 43A, compromise of sensitive personal information can lead to penalties close to $1 million.
Unfortunately, the biggest holder of the entire country's personal data is the government, which does not come under the ambit of this Act today.
Next Privacy Steps for CISOs
Given the pace at which privacy laws and technology are changing globally, it is hard to keep your finger on the pulse. The EU recently arrived at a consensus on the General Data Protection Regulation, a regulation touted 'to make Europe fit for the digital age.' And technological changes from connected devices, IoT, cloud and data collection & analytics, or new products and initiatives within your own business, only add to the challenge.
Some of the imperative questions CISOs need to be asking are:
- What are the top privacy risks companies need to address?
- What happens to the collected data: how is it collected and stored, what is it used for, who has access to it, and which external parties is it shared with?
- How do we create the visibility into the data that is needed to roll out a privacy program?
It is heartening to see industry bodies such as DSCI developing frameworks to enable organizations to implement privacy programs and also educating practitioners on distinguishing privacy from security. Regulators like RBI and IRDA have also been enunciating recommendations on how to ensure the privacy of customer data and the privacy rights of customers.
But now it's time for security leaders to stand up and ensure these privacy recommendations are adhered to by their companies in a serious fashion.
Shivangi Nadkarni is Co-Founder & CEO of Arrka Consulting, a firm specializing in Information Security, Data Privacy and User Awareness.